RE: msblast.exe --> DDoS against windowsupdate.com (research)

From: Christopher Lyon (cslyonat_private)
Date: Wed Aug 13 2003 - 23:57:44 PDT

    I did infect a machine with msblaster (Windows XP straight out of the
    box) and put the machine behind a cheap firewall using private
    addresses. I was able to get out to the internet, but I did end up
    blocking everything from this host outbound; figured I didn't want to
    contribute to spreading this thing. I confirmed that the host was running
    the virus and trying to go outbound on 135. Once I did that, I put the
    clock at 23:59 on the 15th and waited. Nothing happened, so at 00:15 I
    rebooted; once I rebooted, that is when the DoS started to happen. Maybe
    I need to wait longer, or maybe it needs to restart msblaster. All you
    will see is port 80 connections going to windowsupdate.com. That is
    either 204.79.188.11 or 204.79.188.12. So, when it starts it does a
    query for windowsupdate.com, and whichever IP address it gets first is
    what it hits. You won't see your own source for the DoS either; that
    will be generated. Since my PC was on 192.168.252.0, it was generating
    them for 192.168.x.x. That seems to be typical: the first two octets
    come from your local host and the second two it generates.
    
    Note: There are no DNS storms created by the DoS, and the port scanning
    for port 135 keeps going. The spreading of the virus keeps going, in
    other words.
    
    Hope this helps.
    Good luck,
    Christopher Lyon
    Sr. Security Development Engineer
    Affant Communication (formerly DNS Network Services)
    v: 714-338-7106
    f: 714-338-7101
    cslyonat_private
    > -----Original Message-----
    > From: Sekurity Wizard [mailto:s.wizardat_private]
    > Sent: Wednesday, August 13, 2003 12:03 PM
    > To: incidentsat_private
    > Subject: msblast.exe --> DDoS against windowsupdate.com (research)
    > 
    > Hi all,
    >   Thought I'd do some research into this little hypothesis we've all
    > been seeing: what will happen on the 16th!? Well, I've set up a named
    > server (logging ALL queries into it) and an infected Win2k box (ran
    > msblast.exe on it) into the same hub... and then set the date to the
    > 16th... much to my surprise, NOTHING happened. Literally, nothing. No
    > scanning for port 135, no DNS storms, no DDoS packets - nothing... what
    > did I do wrong or... what does this mean?
    > 
    > ./Wiz
    > 
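    The two reports above describe three things a network defender could
    look for on a LAN in August 2003: port 80 connections aimed at the
    windowsupdate.com addresses, source addresses that are forged from the
    infected host's first two octets, and port 135 scanning that continues
    alongside the flood. The following Python is an added example, not code
    from either poster; it applies exactly those observations to a list of
    (src, dst, dst_port) flow records. The flow records are constructed for
    illustration, the local host address 192.168.252.10 is assumed, and the
    two 204.79.188.x addresses are taken from Christopher's message.

```python
import ipaddress
from collections import Counter

# Addresses Christopher's message reports for windowsupdate.com.
WINDOWSUPDATE_IPS = {
    ipaddress.ip_address("204.79.188.11"),
    ipaddress.ip_address("204.79.188.12"),
}

# Constructed sample flow records (src, dst, dst_port); not a real capture.
# The infected host is assumed to be 192.168.252.10.
SAMPLE_FLOWS = [
    ("192.168.252.10", "10.0.0.1", 135),        # 135 scan keeps running
    ("192.168.252.10", "10.0.0.2", 135),
    ("192.168.252.10", "172.16.4.7", 135),
    ("192.168.252.10", "192.168.252.1", 53),    # ordinary DNS lookup
    ("192.168.252.10", "198.51.100.7", 80),     # ordinary web traffic
    ("192.168.17.44", "204.79.188.11", 80),     # forged sources, first two
    ("192.168.201.3", "204.79.188.11", 80),     # octets match the host
    ("192.168.5.250", "204.79.188.11", 80),
    ("192.168.17.44", "204.79.188.11", 80),
    ("192.168.9.1", "204.79.188.12", 80),
]


def summarize(flows, local_host):
    """Count flood and scan indicators in a list of (src, dst, dport) tuples."""
    local = ipaddress.ip_address(local_host)
    # "first two octets from your local host": forged sources land in this /16
    spoof_net = ipaddress.ip_network(f"{local_host}/16", strict=False)

    dos_sources = Counter()   # source address -> number of flood flows
    scan_targets = set()      # distinct hosts probed on 135 by the local host
    for src, dst, dport in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d in WINDOWSUPDATE_IPS and dport == 80:
            dos_sources[s] += 1
        elif s == local and dport == 135:
            scan_targets.add(d)

    forged_in_slash16 = [s for s in dos_sources
                         if s != local and s in spoof_net]
    return {
        "dos_flows": sum(dos_sources.values()),
        "dos_distinct_sources": len(dos_sources),
        "dos_sources_in_local_slash16": len(forged_in_slash16),
        "dos_uses_real_source": local in dos_sources,
        "scan_135_targets": len(scan_targets),
    }


def looks_like_msblast(summary):
    """True when the pattern from the thread is present: flood traffic to
    windowsupdate.com, never from the host's own address, all sources in
    the host's /16, and 135 scanning still running."""
    return (
        summary["dos_flows"] > 0
        and not summary["dos_uses_real_source"]
        and summary["dos_sources_in_local_slash16"]
        == summary["dos_distinct_sources"]
        and summary["scan_135_targets"] > 0
    )


if __name__ == "__main__":
    s = summarize(SAMPLE_FLOWS, "192.168.252.10")
    for k, v in s.items():
        print(f"{k}: {v}")
    print("msblast-like:", looks_like_msblast(s))
```

    Because the flood's source addresses are forged, the only thing that
    ties the traffic back to the infected machine is the shared /16 and the
    concurrent 135 scanning from its real address, which is why the check
    looks at both rather than at the flood alone.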
    
    This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 11:32:14 PDT